IETF-SSH archive


Re: issues



Niels Möller writes:
[...]
> > (The usual 1024-bit Diffie-Hellman group gives security level similar
> > to an 80-bit block cipher. Here exponent must be more than
> > 160-bits---increasing it would not give any more security, but
> > decreasing it would indeed decrease security.)
> 
> If these figures are right, then the conclusion must be that we should
> offer some bigger groups. Either by adding some
> diffie-hellman-group2-sha1 key exchange method, or making the
> group-exchange mechanism mandatory.

It is an easy matter to use the complexity estimates for GNFS to see
that (say) RSA of 1024-bits gives about 80-bits of security when
measured in elementary bit operations. There is a paper by Lenstra and
Verheul on this if you want to see some interesting
tabulations. Recall that complexity estimates for discrete log and
factorization are pretty much equal (except for some minor bias in
favour of discrete logs).

IPsec's IKE groups could be directly taken by SSH2, but even they
don't yet get close to the 256-bit limit (which requires the mentioned
13K-bit primes).

Best regards, 
Mika Kojo
SSH Communications Security Corp
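
The GNFS estimate discussed in this message, worked through as an added example (not part of the original post). It evaluates the asymptotic running time L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, anchors the curve at the thread's figure of 1024 bits giving about 80 bits (an assumption made here), and inverts it to find the modulus size for a target level. The function names and the sample sizes are constructed for illustration.

```python
import math

GNFS_C = (64 / 9) ** (1 / 3)  # constant c in L_n[1/3, c] for GNFS


def gnfs_raw_bits(modulus_bits):
    """log2 of exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), o(1) term dropped."""
    ln_n = modulus_bits * math.log(2)
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)


# Assumption: calibrate so that a 1024-bit modulus maps to 80 bits,
# the figure quoted in the thread. The raw formula alone gives ~87.
OFFSET = gnfs_raw_bits(1024) - 80.0


def security_bits(modulus_bits):
    """Estimated symmetric-equivalent security of a modulus of this size."""
    return gnfs_raw_bits(modulus_bits) - OFFSET


def modulus_bits_for(target_bits, lo=512, hi=65536):
    """Smallest modulus size whose estimate reaches target_bits.

    Bisection is valid because security_bits() increases with size."""
    if security_bits(hi) < target_bits:
        raise ValueError("target beyond search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if security_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def min_exponent_bits(modulus_bits):
    """DH exponent length at twice the group's security level, since
    generic square-root attacks on an e-bit exponent cost about 2^(e/2)."""
    return 2 * math.ceil(security_bits(modulus_bits) - 1e-9)


if __name__ == "__main__":
    for size in (1024, 1536, 2048, 4096, 8192):  # constructed sample sizes
        print(size, round(security_bits(size), 1), min_exponent_bits(size))
    for level in (80, 128, 256):
        print(level, "bits needs about", modulus_bits_for(level), "bit modulus")
```

Because the o(1) term is ignored and the calibration point is chosen by hand, the output is a ballpark figure comparable to published tabulations, not a substitute for them.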


